AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence against
- `package.json` has only `prepublishOnly`; no install lifecycle hook.
- `dist/index.js` exports push functions; network calls occur only when those APIs are invoked.
- FCM credentials are caller-provided configuration and used only for Firebase authentication.
- No filesystem access, subprocesses, dynamic code execution, persistence, or AI-agent configuration mutation found.
Behavioral surface
Supply chainMinifiedTrivialUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 7.50 KB of source, external domains: exp.host, fcm.googleapis.com, oauth2.googleapis.com, www.googleapis.com